pub fn sanitize_for_comment(input: &str) -> String

Deprecated since 0.4.0: Do not use - backslash escaping doesn't work in Rust comments. Use the quote! macro instead.

DEPRECATED AND UNSAFE: Do not use for user input in comments

⚠️ SECURITY FIX #2
This function is FUNDAMENTALLY UNSAFE and should never be used for user input.
Problem: In Rust block comments /* ... */, backslash has NO special meaning.
Therefore, escaping with backslash provides no protection against breakout attacks.
Example attack:

```rust
let input = r"\*/";
let escaped = r"\\*\/"; // attempted escaping
// placed in a block comment: /* \\*\/ */   the */ STILL ends the comment!
```

Migration

Use the quote! macro for user input instead:

```rust
quote! { let comment = #user_input; } // properly escaped
```

Or use line comments with escaped newlines:

```rust
let comment = format!("// {}", user_input.replace('\n', "\\n"));
```

Reason for Deprecation
Backslash escaping does not work in Rust comments. This function was based on a false assumption about comment semantics and cannot provide real protection.
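The following is an added example, not code from the crate this page documents. It uses only std: a small scanner that finds where rustc would end a block comment (block comments nest, and a backslash is an ordinary byte), which is run over the page's own attacker string `\*/`, followed by the two alternatives the migration section names. All helper names (`block_comment_end`, `leaked_code`, `line_comment`, `string_literal`) are hypothetical; `string_literal` uses Debug formatting to build an escaped Rust string literal, on the assumption that this matches what `quote!` emits for a `String`/`&str` `#user_input`.

```rust
// Added example, not part of the crate this page documents.

/// Returns the byte offset just past the `*/` that closes the block comment
/// starting at the beginning of `src`, or `None` if it never closes.
/// Nesting is honoured the way rustc does it; backslashes get no treatment.
fn block_comment_end(src: &str) -> Option<usize> {
    let b = src.as_bytes();
    if !src.starts_with("/*") {
        return None;
    }
    let mut depth = 0usize;
    let mut i = 0;
    while i + 1 < b.len() {
        if b[i] == b'/' && b[i + 1] == b'*' {
            depth += 1;
            i += 2;
        } else if b[i] == b'*' && b[i + 1] == b'/' {
            depth -= 1;
            i += 2;
            if depth == 0 {
                return Some(i);
            }
        } else {
            i += 1;
        }
    }
    None
}

/// Wraps `user` in `/* ... */` and returns whatever the scanner would treat as
/// code after the comment: an empty string means nothing leaked out, `None`
/// means the comment never closed (a compile error rather than injection).
fn leaked_code(user: &str) -> Option<String> {
    let src = format!("/* {} */", user);
    block_comment_end(&src).map(|end| src[end..].to_string())
}

/// First migration option: a line comment, which only a newline can end, so
/// every `\n` (and `\r`, added here for good measure) becomes its
/// two-character escape before emission.
fn line_comment(user: &str) -> String {
    format!("// {}", user.replace('\r', "\\r").replace('\n', "\\n"))
}

/// Second option: keep the text out of comments entirely and emit it as a
/// string literal. `{:?}` on a `&str` escapes quotes, backslashes and control
/// characters, so no input can close the literal early.
fn string_literal(user: &str) -> String {
    format!("let comment = {:?};", user)
}

fn main() {
    // Constructed inputs: the page's attacker string, a benign note, and an
    // unbalanced nested comment.
    println!("attacker: {:?}", leaked_code(r"\*/"));       // Some(" */")
    println!("benign:   {:?}", leaked_code("just a note")); // Some("")
    println!("nested:   {:?}", leaked_code("/* open"));     // None
    println!("{}", line_comment("first\n*/ second"));
    println!("{}", string_literal("*/ \"quoted\"\n"));
}
```

Running it shows the backslash in `\*/` changing nothing: the scanner closes the comment at the `*/` and the trailing ` */` is handed to the compiler as code. The line-comment form has no newline left for an attacker to end the comment with, and the string-literal form never enters a comment at all.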